Chapter 7. Monitoring File System Changes

Abstract

Goal

Detect and analyze changes to a server's file systems and their contents by using AIDE.

Objectives
  • Detect and identify changes to files on a system that has AIDE installed, and manage AIDE checks and the AIDE detection database.

  • Investigate causes of file system changes reported by AIDE by using Linux Audit tools.

Sections
  • Detecting File System Changes with AIDE (and Guided Exercise)

  • Investigating File System Changes with AIDE (and Guided Exercise)

Lab

Monitoring File System Changes

Detecting File System Changes with AIDE

Objectives

After completing this section, students should be able to detect and identify changes to files on a system that has AIDE installed, and manage AIDE checks and the AIDE detection database.

Analyzing File System Changes with AIDE

On an operating server, it is normal for files to be added, removed, and modified on its file systems. However, unexpected changes to certain files, such as executable programs and configuration files, might indicate unauthorized modifications or other security issues. Therefore, it is important to monitor those files for changes to their content, permissions, or other characteristics.

Red Hat Enterprise Linux provides Advanced Intrusion Detection Environment (AIDE), a user-space utility that can help with this monitoring. AIDE monitors files for a variety of changes including permission or ownership changes, time stamp changes (modification or access time stamps), or content changes.

Installing and configuring AIDE

Installing AIDE

The aide package is typically not installed by default. It needs to be installed, configured, and its initial database built before it can check file systems. The following command installs AIDE on the system.

[root@demo]# yum install aide

Configuring AIDE

The configuration file for AIDE is /etc/aide.conf. This file controls which files AIDE monitors for changes, and what characteristics are monitored for each file. For example, by default AIDE monitors most files in the /etc directory for permission changes only, but specific files are monitored more closely. As the security administrator, you might want to tune exactly what AIDE monitors for different parts of your computer's file system.

Important

AIDE ships with a reasonably well-configured default /etc/aide.conf file that you may use to build an initial database. If you want or need to tune exactly what AIDE monitors, you should modify the file before building or updating your AIDE database.

You can edit the /etc/aide.conf file to tune the operational behavior of AIDE. Each line in the file is a directive. The file contains three types of line: configuration lines, selection lines, and macro lines. Any line that starts with a hash (#) is a comment and has no effect.

Configuration Lines

The configuration lines adjust the configuration parameters of AIDE. These lines either tune the functional behavior of AIDE globally or set a group definition. Group definitions are used by selection lines to specify what characteristics of a file AIDE should monitor when detecting file system changes.

The syntax of a configuration line is parameter = value. Among the configuration parameters are:

database

The location from which AIDE reads its database when it runs checks. This is normally a local file.

database_out

The location to which AIDE writes its database when it is updated. This is also normally a local file, and must be different from the input database.

gzip_dbout

If this parameter is set to yes, AIDE creates a new database and compresses it with the gzip command.

A configuration line can also create a group definition. Group definitions are used with selection lines to set the characteristics of the file to monitor. For example, the default /etc/aide.conf file has the following group definition:

PERMS = p+u+g+acl+selinux+xattrs

This group definition creates a group named PERMS. If a selection line uses this group definition, files selected by that line will be monitored for changes to permissions (p), user (u), group (g), Access Control List permissions (acl), SELinux context (selinux), and file system Extended Attributes (xattrs).

The default configuration file has other predefined group definitions which are important. For example, the NORMAL group definition also checks for changes in SHA256 and SHA512 checksums, the size of the file, changes to the inode or number of links to the file, time stamp changes, and whether it is growing. The default configuration file and the aide.conf(5) man page have more details on the built-in groups available for group definitions.

Selection Lines

The selection lines specify the files and directories that AIDE monitors, and the changes for which AIDE will watch. Selection lines can be regular, equals, or negative.

A regular selection line is a regular expression matching the absolute path to a file or directory, followed by the name of a group definition. Files and directories matching that regular expression are added to the AIDE database, with checks performed as specified by the line's group definition. Because the regular expression (regex) is matched against the beginning of each path, a regex of /etc also matches, recursively, all files and directories in the /etc directory.

An equals selection line starts with an equals (=) sign followed by a regex and a group definition. AIDE records the files that match the regular expression and applies all the checks named by the line's group definition. However, an equals selection line matches the children of a directory only if the regex ends with a forward slash (/) character, and the children of subdirectories are never matched recursively.

A negative selection line starts with a bang (!) character followed by a regular expression matching the absolute path to a file or directory. AIDE does not monitor files or directories that match a negative selection line.

The following lines are examples of selection lines:

/etc   PERMS
=/testdir   PERMS
!/etc/mtab

The first line is a regular selection line that matches /etc and recursively matches all files and directories in /etc. It applies the group definition PERMS to those files.

The second line is an equals selection line that matches exactly the directory /testdir but does not match its subdirectories. It also applies the group definition PERMS to that directory, but not the files or subdirectories in that directory.

The third line is a negative selection line that tells AIDE not to monitor the /etc/mtab file.

Macro Lines

The macro lines set or clear variables, which are useful for referring to lengthy URLs or file system paths that occur in multiple places in the AIDE configuration file.

The following snippet from the AIDE configuration file shows sample macro lines:

@@define DBDIR /var/lib/aide
@@define LOGDIR /var/log/aide

The macro lines above define two variables, DBDIR and LOGDIR, that expand to the directories /var/lib/aide and /var/log/aide respectively.

The following line shows how to expand a variable that was defined in a macro line.

database=file:@@{DBDIR}/aide.db.gz

This sets the database parameter to the value file:/var/lib/aide/aide.db.gz.
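The following Python script is an added example and not part of the course material or of AIDE itself. It parses a small constructed aide.conf containing the line types discussed above (macro lines, configuration lines, group definitions, and regular, equals and negative selection lines), expands @@{NAME} references and group references, and reports which checks apply to a given path. Its matching is a simplified model of the semantics described in this section: a matching negative line excludes the path, then equals lines are tried, then regular lines, and the first matching line wins, so more specific lines are listed first in the sample.

```python
import re

PARAMS = {"database", "database_out", "gzip_dbout"}  # parameters from this section; other "x = y" lines are groups

def parse_aide_conf(text):  # returns (params, groups, selection rules) for a simplified aide.conf
    macros, params, groups, rules = {}, {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # comment lines have no effect
            continue
        line = re.sub(r"@@\{(\w+)\}", lambda m: macros[m.group(1)], line)  # expand @@{NAME}
        if line.startswith("@@define"):               # macro line: @@define NAME value
            _, name, value = line.split(None, 2)
            macros[name] = value
        elif "=" in line and line[0] not in "=!/":    # configuration line: parameter = value
            key, value = (s.strip() for s in line.split("=", 1))
            if key in PARAMS:
                params[key] = value
            else:                                     # group definition; tokens may name other groups
                groups[key] = set().union(*(groups.get(t, {t}) for t in value.split("+")))
        else:                                         # selection line: regular, equals or negative
            kind = {"=": "equals", "!": "negative"}.get(line[0], "regular")
            parts = line.lstrip("=!").split()
            rules.append((kind, parts[0], groups.get(parts[1], set()) if len(parts) > 1 else set()))
    return params, groups, rules

def checks_for(path, rules):  # attributes AIDE would check for path, or None if not monitored
    if any(k == "negative" and re.match(r, path) for k, r, _ in rules):
        return None                                   # a negative line excludes the path outright
    for kind, regex, attrs in rules:                  # equals lines: the path itself, plus direct
        if kind == "equals":                          # children only when the regex ends in "/"
            direct = regex.endswith("/") and re.fullmatch(regex + r"[^/]+", path)
            if re.fullmatch(regex.rstrip("/"), path) or direct:
                return attrs
    for kind, regex, attrs in rules:                  # regular lines: prefix match, so recursive
        if kind == "regular" and re.match(regex, path):
            return attrs
    return None

SAMPLE_CONF = """\
# constructed sample modelled on the directives discussed in this section
@@define DBDIR /var/lib/aide
database=file:@@{DBDIR}/aide.db.gz
PERMS = p+u+g+acl+selinux+xattrs
NORMAL = PERMS+sha256+sha512+s+i+n+m+c+growing
/etc/ssh/sshd_config   NORMAL
/etc   PERMS
=/testdir/   PERMS
!/etc/mtab
"""
```

Running `checks_for("/testdir/sub/file", parse_aide_conf(SAMPLE_CONF)[2])` returns None, while `/testdir` and `/testdir/file` return the PERMS attributes and `/etc/mtab` is excluded by the negative line.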

Initializing the AIDE Database

After AIDE has been installed, it is paramount to ensure that AIDE is aware of the current status of the file system. AIDE uses this known state of the file system as a reference point to detect and report on file system changes. Use the aide --init command to generate an initial AIDE database.

[root@demo]# aide --init

Important

Ideally, build your AIDE database as soon as you can after installation, possibly as part of the provisioning process.

AIDE operates by comparing the current state of files to information about their expected state stored in the AIDE database. If there is no baseline database, AIDE has nothing it can use to determine the expected state of the system.

Verifying Integrity with AIDE

After AIDE is made aware of the current file system status, it can detect file system changes (if any) by comparing against the known status. To manually perform an integrity check, run the following command as root:

[root@demo]# aide --check

This command uses the AIDE configuration to compare the state of the system's files to the saved database. A report is printed on standard output and to the file /var/log/aide/aide.log by default.

In production, you should periodically run AIDE checks. If the AIDE database is kept on the local system, you might choose to use a cron job, systemd timer unit, or other system to automatically run the AIDE checks.

For example, you might set a cron job to run the AIDE integrity check every day at 5:00 PM by adding a file containing the following line to the /etc/cron.d directory.

00 17 * * * root /usr/sbin/aide --check

You could additionally configure the crontab file to email the report to an administrator.

Updating the AIDE Database

It is important to update the AIDE database after expected changes are made to the system. For example, a package update or authorized configuration file adjustment may change time stamps, permissions, or checksums on monitored files. To avoid AIDE reporting false positives, you need to update the database to reflect these authorized changes. After confirming that all remaining changes reported by AIDE are authorized, run the following command to update the AIDE database.

[root@demo]# aide --update

Important

Do not forget to replace the old database file with the updated file. Otherwise, AIDE will continue to use the old database file as its baseline for checks.

The locations of these files are specified in your /etc/aide.conf file, as discussed earlier in this section. The database used for checks defaults to /var/lib/aide/aide.db.gz. By default, the --update option writes an updated database to /var/lib/aide/aide.db.new.gz.

References

aide(1) and aide.conf(5) man pages

For more information, refer to the CHECKING INTEGRITY WITH AIDE section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/sec-using-aide#sec-Using-AIDE

Revision: rh415-7.5-b847083